In chapter 8 we look at Controls specifically designed for the Information Systems Function.
COBIT
COBIT (Control Objectives for Information and Related Technology) was developed by the Information Systems Audit and Control Foundation to provide guidance - to managers, users and auditors - on the best practices for the management of information technology.
(What is this?) IT resources:
Data: Objects in their widest sense (i.e., external and internal), structured and nonstructured, graphics, sound, etc.
Application systems: Sum of all manual and programmed procedures reflecting business processes.
Facilities: Facilities are all resources used to house and support information systems.
People: People include staff skills; awareness; and productivity to plan, organise, acquire, deliver, support, and monitor information systems and services.
COBIT's definition of Control: The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that undesired events will be prevented or detected and corrected.
Information Systems Function (ISF):
Define, what is this?
An organisation's information systems function (ISF) is the department or function that develops and operates an organization's information system. This department/function is normally called the information services department, IT department, or data processing department. It is composed of people, procedures, and equipment.
Types of Organizational structures for ISF:
Centralized - CIO is central leader of all information systems functions
Decentralized - assigns personnel to non-central organizational units
Functional - assigns personnel to skills-based units
Matrix - assembles work groups or teams comprised of members from different functional areas under the authority of a team leader
Project - establishes permanent systems development structures such as financial systems development
Summarize the key control concerns (similar to business exposures) for the various ISF functions (see if you can combine similar concerns by hierarchical layer in the organization chart):
Pervasive data conversion errors
Unauthorized software changes
Unauthorized computer operations
Problems not being resolved in timely manner
Acquired technology is consistent with organizational resource plans and technology infrastructure
COBIT Control Process Domains:
Planning and Organization
Process#1: Establish strategic vision for IT.
Process#2: Develop tactics to plan, communicate, and manage realization of the strategic vision.
Acquisition and Development
Process#3: Identify automated solutions.
Process#4: Develop and acquire IT solutions.
Process#5: Integrate IT solutions into operational processes.
Process#6: Manage changes to existing IT systems.
Delivery and Support
Process#7: Deliver required IT services.
Process#8: Ensure security and continuous services.
Process#9: Provide support services.
Monitoring
Process#10: Monitor operations.
Segregation of Duties:
An organizational control plan that consists of separating the four basic functions of event processing--authorizing, executing, recording, and safeguarding resources resulting from consummating events.
Segregating Events Processing:
Segregating Information Systems Functions: is done to control unauthorized use of and/or changes to the computer and its stored data and programs.
Personnel Control Plans:
Key Control Issues: Avoid business exposures caused by:
Controlling Information Systems: IT Processes: